The Meta group, Facebook’s parent company, was fined Wednesday, January 4, two fines totaling 390 million euros for violating the General Data Protection Regulation (GDPR), announced the Irish Data Protection Commission (DPC), which acts on behalf of the European Union. Meta violated “its obligations in terms of transparency” and relied on an erroneous legal basis “for its processing of personal data for advertising purposes” targeted, explained the Irish regulator in a press release.
This sanction follows the adoption, at the beginning of December, of three binding decisions by the European Data Protection Board (EDPB), the sector’s regulator at Community level. The first two concerned offenses related to social networks Facebook, for which the fine amounts to 210 million euros, and Instagram, another subsidiary of Meta, targeted by the remaining 180 million euros. The latest, regarding WhatsApp, was later notified to the DPC and will be decided next week.
Privacy group Noyb, which initiated the three complaints, had accused Meta of reinterpreting consent “like a simple civil law contract”, which does not opt out of targeted advertising. In October 2021, the Irish authority had proposed a draft decision which validated the legal basis used by Facebook and suggested a fine of 26 to 36 million euros for lack of transparency. The National Commission for Computing and Liberties (CNIL) and other regulators in Europe had expressed their disagreement with this proposed sanction.
Meta will appeal
They had asked the EDPS to judge the dispute; the latter agreed with them on the question of the legal basis. The Noyb association welcomed on Wednesday a decision that will force Meta to put in place “a yes/no consent option” for the use of the personal data of its users, failing which the company “cannot use their data for personalized advertising”.
The company has three months to “bring its data processing operations into compliance”, said the DPC in its press release. Meta said to himself ” disappointed “ decisions and intends to appeal, “both of the merits and of the fines”. “The debate around the legal bases” for the processing of personal data “has been going on for some time and companies are facing a lack of regulatory certainty on the issue”says the company.
“These rulings do not prevent targeted or personalized advertising” and “advertisers can continue to use our platforms to reach potential customers, grow their business and create new markets”, adds Meta. The company also believes that the DPC does not require it to set up a consent option and says it is evaluating a variety of solutions to change the legal basis for data processing. A source close to Meta clarified that the legal basis for “legitimate interest”provided for by the GDPR, was examined by the company.
The Irish authority, on behalf of the EU, already sentenced Meta in September to a fine of 405 million euros for shortcomings in the processing of data of minors and in November to a fine of 265 million euros for not having sufficiently protected the data of its users.
Apple condemned by the CNIL in France
In addition, in France, the CNIL imposed a fine of 8 million euros on Apple for having imposed advertising trackers on its users, without their explicit consent, it said on Wednesday. The investigation was launched after a complaint from the France Digital association, which brings together French start-ups and in particular software developers distributed by the American group’s application store.
The relatively limited nature of the fine is explained by the fact that Apple quickly brought itself into compliance during the CNIL investigation, which took place in mid-2021. In addition, these advertising identifiers only allowed Apple to target Internet users when they were browsing the mobile application store (App Store). Finally, the authority was only able to penalize breaches in France.
In fact, version 14.6 of the Apple operating system deposited ” by default “ identifiers on the brand’s mobile devices (iPhone, iPad, etc.) which allowed Apple to personalize the advertisements displayed on its application store. If the user did not want this advertising tracking, he had to uncheck a box in the device settings.
At the time of the complaint, the managing director of France Numérique, Nicolas Brien, had lambasted the ” Two weights, two measures “ from Apple. The Apple brand allowed itself a pre-ticked box for its plotters, while it recently imposed on third-party applications to request explicit consent from the Internet user for their own cookies. The sanction only concerns France, as it falls under the European e-Privacy Directive, which only allows national sanctions. The GDPR, which provides for sanctions at European level, does not apply in this specific case.